FAIR Institute Blog

RSAC 2020 Report – Big Turnout for 2 FAIR Seminars, Breakfast Advice on Starting a FAIR™ Program from Jack Jones and Fannie Mae, Ascena Retail CISOs

[fa icon="calendar"] Feb 27, 2020 10:28:45 AM / by Luke Bader

Luke Bader

RSAC20 Jack Jones FAIR Seminar CAPMore than 700 attended two half-day seminars on Monday for an introduction to FAIR led by its creator, Jack Jones, headlining a week of events at the 2020 RSA Conference that together add up to the most recognition ever for FAIR™ and risk quantification at the biggest security conference. 

RSA had teed up the interest by naming FAIR among the major themes of the year in its Trend Report, then scheduled multiple FAIR-themed sessions, including appearances by FAIR book co-author Jack Freund and by FAIR practitioners from NASA, ADP, PNC Bank and others.  

More than 100 new members have signed up for the FAIR Institute in the first days of RSAC 2020. And the Institute’s annual breakfast, held Wednesday morning filled every seat in the room. Also a sellout: the Sunday and Monday FAIR Fundamentals training course, taught by RiskLens Academy.


Did you attend the 2020 RSA Conference? We want to hear what you found most informative and your take on the maturity level of the cybersecurity profession. Take our short survey!


FAIR Institute Breakfast: Tips on “Building an Effective Cyber Risk Management Program that Actually Works”

FAIR Breakfast Crowd Scene Cap

FAIR Institute President Nick Sanna opened the breakfast event with an update on Institute membership – now over 7,700 with 1,000 joining in the last 100 days. One of the drivers, he said, was the increasing acceptance by risk management authorities: major frameworks NIST CSF and COSO ERM point to the FAIR standard, and leading consultancy Gartner is urging the move to risk quantification


Coming soon to the FAIR Institute website: Complete video of the FAIR Breakfast during RSAC 2020.


Mark Tomallo - Chris Porter - Jack Jones  - 2020 RSAC FAIR Institute Breakfast Cap
Key Points from Jack Jones and CISOs on Adopting FAIR

Jack was joined by CISOs Mark Tomallo of Ascena Retail Group and Christopher Porter of Fannie Mae for a ground level view of introducing and fostering cyber risk quantification in a large organization. “It’s a change management exercise,” Jack said. “You’re changing the way people perform their jobs and make decisions…It’s a bit of a minefield but there are ways to navigate it.” 

Jack identified the two biggest change management obstacles are attitudes that quantification is “too difficult” and the usual, subjective approach to risk analysis is “good enough”.  In fact, “there’s no advantage to doing really easy risk management” which may seem to be “no cost up front but all the cost comes later” when unanticipated losses hit. 

Jack laid out a roadmap for FAIR adoption that starts with the “Why”, the result of conversations with stakeholders to discover the pain points in the organization. “If you understand the obstacles and pain points, you can choose a starting point that can vastly improve your outcomes.” Then launch your program with the idea that “it’s a continual evolution.”

FAIR Breakfast QRMP Roadmap

Jack Jones’ Roadmap for a Quantitative Risk Management Program

Start by applying high level FAIR analysis to your list of top risks to triage them.  “You can get a tremendous amount of clarity about what matters in your risk landscape without a lot of investment,” Jack advised.  

“The more you go up the scale, the more resources required but the more value you get.”  With increasing staff sophistication, a risk quantification platform (such as RiskLens, by the technical adviser to the FAIR Institute) and expert help, a program goes up the scale to provide operational decision support (for instance, through cost-benefit analyses) then strategic decision support (such as management of a risk portfolio) and finally to “cyber risk management nirvana,” automated decision support with a real-time risk dashboard.  

“There’s no single starting point – but the point is to get started “solving problems sooner rather than later.” 

FAIR Breakfast Chris Porter Fannie Mae - FAIR Helps with Better Business Decisions

Fannie Mae CISO Chris Porter: FAIR Supports Many Kinds of Business Decisions

Chris gave examples of how FAIR revealed insights for cost-cutting that went beyond bread-and-butter decisions on comparing cybersecurity controls. Fannie Mae was able to reduce its exposure to potential data breach credit monitoring and notification costs by changing contracts to eliminate holding Social Security numbers and reduce its cyber insurance premiums by fine-tuning the policy to avoid over-paying for lower risks.

FAIR Breakfast - Mark Tomallo - Ascena Retail

Ascena Retail CISO Mark Tomallo: Make a Careful, Phased Effort to Socialize FAIR

Mark described a well thought-out plan to engage different stakeholders, starting with switching to FAIR nomenclature in all risk conversations, involving SME’s and line-of-business owners to create loss tables, gathering top risks lists from VPs, running FAIR analyses in stealth mode and exposing results to stakeholders when it serves their interests. Mark said he knew he was succeeding when he turned back a finding from audit on a “material weakness” over default passwords that, under FAIR analysis turned out to be a negligible risk. 


Coming soon to the FAIR Institute website: Complete video of the FAIR Breakfast during RSAC 2020.


Related:

Webinar on Demand: How Fannie Mae Integrates FAIR™ Cyber Risk Analysis and Threat Intel

 

Luke Bader

Written by Luke Bader

Luke Bader is Director, Membership and Programs for FAIR Institute

Join the FAIR Community